From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5D37F2DE444; Mon, 14 Apr 2025 13:32:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1744637543; cv=none; b=vFT5IeYXQeTKNsS3HdMH82NiQtY6SvZ3Yhy+mE36pEkF7JlglykG8dL8I5oHsc1wwGc730n7a1Bi4nXWNoWoPJdxI2HacAwDmkq27x12VLyiX8Q0qxL+IsouFHRI2QXiNc/WLKMOgb/l6lGkZJNL1CA4MeKhkkkjw8tp2NBtLrU= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1744637543; c=relaxed/simple; bh=loXYO8n1qZIRscLbqjgFDKa3b0uWIsgp0jeUEqmCJGM=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=BXBAB6MPwe8/bFstYmwQN5cbn390ISInuSCMrOyJz6nA25Xg7eUpSUI7DSXxf6UjvkwUd3ZP8ttfR/sduVL+wv74/G7++QpGxT6SZaY6ILbeRIi0A14huEXgcfiKOGFoUv6UYy0R52s5iO6Z/2cL1JRXNYy04nt4/qQFBY8DSsw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Glyr+NDQ; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Glyr+NDQ" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 691CFC4CEE2; Mon, 14 Apr 2025 13:32:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1744637542; bh=loXYO8n1qZIRscLbqjgFDKa3b0uWIsgp0jeUEqmCJGM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Glyr+NDQnIxK4bPbH/OohWmY8W+H/fqbiN1BVlJRgJfPbl4TVi4cwN03nv8B+sBu6 xehKw0cTAzwjmEt2otx1gumQ/DxnmqoP6ujamPJFQHxfkGTJA7ViVjjcMOx19S9eP2 SbUm71ZE3x6BPZZ1lzsBmgcgXkuMbAlzjs/VQRMB8EiRZPkoDIsSUkzEADoURsQQfc 6ykLuGs6tOzAouhCTrJBpEpB92pnxWBHeED5jSrADVTeldVV52mj0Tsoe1V2Voeihc 2VfbJsBDD84Zx3lMIeBrPTrJTVwYA6aVBcuIsvhQTqdGbgtUFgWAzW4cEtoS1Je3D8 Nj1/UblwArF/Q== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Ojaswin Mujoo , Baokun Li , Jan Kara , Zhang Yi , Theodore Ts'o , Sasha Levin , adilger.kernel@dilger.ca, linux-ext4@vger.kernel.org Subject: [PATCH AUTOSEL 5.10 11/11] ext4: make block validity check resistent to sb bh corruption Date: Mon, 14 Apr 2025 09:31:58 -0400 Message-Id: <20250414133158.681045-11-sashal@kernel.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250414133158.681045-1-sashal@kernel.org> References: <20250414133158.681045-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore X-stable-base: Linux 5.10.236 Content-Transfer-Encoding: 8bit From: Ojaswin Mujoo [ Upstream commit ccad447a3d331a239477c281533bacb585b54a98 ] Block validity checks need to be skipped in case they are called for journal blocks since they are part of system's protected zone. Currently, this is done by checking inode->ino against sbi->s_es->s_journal_inum, which is a direct read from the ext4 sb buffer head. If someone modifies this underneath us then the s_journal_inum field might get corrupted. To prevent against this, change the check to directly compare the inode with journal->j_inode. **Slight change in behavior**: During journal init path, check_block_validity etc might be called for journal inode when sbi->s_journal is not set yet. In this case we now proceed with ext4_inode_block_valid() instead of returning early. Since systems zones have not been set yet, it is okay to proceed so we can perform basic checks on the blocks. Suggested-by: Baokun Li Reviewed-by: Baokun Li Reviewed-by: Jan Kara Reviewed-by: Zhang Yi Signed-off-by: Ojaswin Mujoo Link: https://patch.msgid.link/0c06bc9ebfcd6ccfed84a36e79147bf45ff5adc1.1743142920.git.ojaswin@linux.ibm.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin --- fs/ext4/block_validity.c | 5 ++--- fs/ext4/inode.c | 7 ++++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/fs/ext4/block_validity.c b/fs/ext4/block_validity.c index 295e89d93295e..5d5befac5622b 100644 --- a/fs/ext4/block_validity.c +++ b/fs/ext4/block_validity.c @@ -353,10 +353,9 @@ int ext4_check_blockref(const char *function, unsigned int line, { __le32 *bref = p; unsigned int blk; + journal_t *journal = EXT4_SB(inode->i_sb)->s_journal; - if (ext4_has_feature_journal(inode->i_sb) && - (inode->i_ino == - le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum))) + if (journal && inode == journal->j_inode) return 0; while (bref < p+max) { diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index c991955412a49..7d31506deb9e5 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -409,10 +409,11 @@ static int __check_block_validity(struct inode *inode, const char *func, unsigned int line, struct ext4_map_blocks *map) { - if (ext4_has_feature_journal(inode->i_sb) && - (inode->i_ino == - le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum))) + journal_t *journal = EXT4_SB(inode->i_sb)->s_journal; + + if (journal && inode == journal->j_inode) return 0; + if (!ext4_inode_block_valid(inode, map->m_pblk, map->m_len)) { ext4_error_inode(inode, func, line, map->m_pblk, "lblock %lu mapped to illegal pblock %llu " -- 2.39.5